Aza Raskin from the Mozilla Firefox team found a pretty interesting new type of phishing attack that uses automatic change of favicon icon to make one of your tabs look like another web site.
The attack goes like this:
1. A user navigates to your normal looking site.
2. You detect when the page has lost its focus and hasn’t been interacted with for a while.
4. As the user scans their many open tabs, the favicon and title act as a strong visual cue—memory is malleable and moldable and the user will most likely simply think they left a Gmail tab open. When they click back to the fake Gmail tab, they’ll see the standard Gmail login page, assume they’ve been logged out, and provide their credentials to log in. The attack preys on the perceived immutability of tabs.
5. After the user has enter they have entered their login information and sent it back your your server, you redirect them to Gmail. Because they were never logged out in the first place, it will appear as if the login was successful.
Video showcasing the attack:
Proof of concept is available over here. Note that this is the blog post about the issue, but the page changes into fake Gmail.